The development of computer systems and networks allowed the physical separation of user applications and data storage. For instance, server technology provides for storing any kind of data, such as files, e-mails, databases, etc., on a powerful server computer. Thus, smaller and cheaper computer systems, such as user terminals, desktop computers, mobile devices, etc., could be used to gain access to the server computer and its stored data. For example, companies and offices were able to build up data communication networks between user terminals and server computers or other network storage devices. Such data communication networks are also referred to as local area networks (LANs), since they are usually limited to a specific geographical area, e.g. a building, a floor, a plurality of rooms, etc.
With the development of wide-area networks, such as the internet or public telephone networks, the local area networks could be interconnected and accessed from any geographically independent computing device. Further, the computer networks of different organizations can be connected to exchange data, for example, for collaboration. The telephone networks were also capable of transmitting data, and hence allowed the access to a local network from any user terminal connected to a telephone line.
The downsizing of computing devices further expedited the use of external network connections to gain access to a local area network. For instance, the employee of a company is able to access the company's network and computing devices from home or from a hotel using a mobile device.
The accessibility of local area networks from public networks, however, came with the risk that malicious users were also able to access computing devices and data of a local network, such as that of a company.
A solution to protect a network from outside attacks is a firewall installed on a particular network node. This network node is the only device connected to both the public or external network and the local network, so that the local network is separated from the public or external network and all traffic between them must pass through this node. Examples of such a network node are a proxy server, a gateway, a router or a bridge, to name a few.
These devices may also have an integrated firewall to control network traffic between the local network and the wide-area or public network. A firewall blocks unsolicited connections from the outside and permits access to the local network for authorized computing devices only. One such secure access technique is known as virtual private networking (VPN), where two devices create a cryptographically protected connection for data communication over a public network. Such a virtual private network provides a data communication interface between a user terminal and a gateway that protects a private or local network. For instance, a VPN client can be implemented on any user terminal, for example on the laptop of an employee, which is configured to establish a secure connection to the gateway within the network of the employee's company. Since the gateway and the VPN client can be preconfigured, they are able to authenticate each other and to exchange security parameters, such as the cryptographic keys for encrypting and decrypting the data communication.
In addition, particular protocols have been established to allow the exchange of security parameters, for example during the setup of a VPN. For instance, a VPN client needs to authenticate itself to the gateway before the gateway will allow access to the local network it protects. One such protocol is the Internet Key Exchange (IKE), which authenticates the two peers, negotiates the cryptographic algorithms to be used and derives the encryption and integrity keys used by a security protocol. This security protocol may, for example, be Internet Protocol Security (IPsec). Another security protocol is the combination of the Hypertext Transfer Protocol (HTTP) with the Secure Sockets Layer (SSL), or its successor Transport Layer Security (TLS), also referred to as Hypertext Transfer Protocol Secure (HTTPS).
With the growing mobility of user terminals, the provision of broadband network connections, such as DSL, has also increased. For example, public hotspots providing wireless network connections to their customers, or cable-based public access points such as an internet kiosk or a hotel, become more and more available. These publicly available networks may also be protected, e.g. using a router or gateway similar to the one described above. Again, for security reasons such a router or gateway will only allow particular connections to the wide-area network.
For instance, a hotel may offer its customers an internet connection via broadband. Thus, the router or gateway may allow outgoing connections only on the particular network ports which are necessary for ordinary internet access. Using the internet for the end user means in most cases surfing the World Wide Web with a web browser, e.g. Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, etc. The standard communication to visit websites is HTTP-based. Further, application protocols carried over a standardized transport protocol, e.g. the Transmission Control Protocol (TCP), have standardized (well-known) port numbers. In the example above, HTTP and HTTPS connections use TCP ports 80 and 443, respectively. Thus, some providers, such as a hotel or an internet kiosk, may restrict outgoing connections to TCP ports 80 and 443.
This restriction to two available ports may, however, prevent the establishment of other secure network connections. While average users should not encounter any problems when surfing the web, business users who need secure connections to their company networks cannot reach their headquarters through such a node. An IPsec VPN, for example, relies on IKE, which runs over UDP (port 500, or port 4500 when NAT traversal is used), and on IPsec itself, whose ESP packets are a separate IP protocol with no TCP port at all; none of this traffic matches an allow list consisting of TCP ports 80 and 443.
More generally, if a secure connection uses a different standardized protocol or a proprietary protocol that does not use one of the above ports, such a secure connection cannot be established because of the restrictions set by the provider.
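The following added example (it is not part of the original document) models the restrictive node described above as a default-deny egress allow list and checks which flows of common secure-access methods it admits. The hotel policy is a constructed one; the protocol numbers and port assignments for IKE, ESP, PPTP/GRE and OpenVPN are the standard IANA ones.

```python
"""Egress-policy check: does a port-restricted access network let a VPN through?

Added example, not code from the original document. The HOTEL_WEB_ONLY policy is
constructed; protocol numbers and ports are the standard IANA assignments.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence

# IP protocol numbers (IANA "Assigned Internet Protocol Numbers")
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_GRE = 47   # Generic Routing Encapsulation, used by PPTP; has no port
IPPROTO_ESP = 50   # IPsec Encapsulating Security Payload; has no port


@dataclass(frozen=True)
class Flow:
    """One outbound flow a client needs. dst_port is None for port-less protocols."""
    name: str
    ip_proto: int
    dst_port: Optional[int]


@dataclass(frozen=True)
class Rule:
    """Allow rule: an IP protocol and, optionally, a single destination port."""
    ip_proto: int
    dst_port: Optional[int] = None   # None matches any port of that protocol


class EgressPolicy:
    """Default-deny allow list, as a hotel or kiosk gateway would enforce it."""

    def __init__(self, allow: Sequence[Rule]):
        self.allow = list(allow)

    def permits(self, flow: Flow) -> bool:
        # A flow passes if any rule matches its protocol and (if the rule
        # names one) its destination port. Anything unmatched is dropped.
        return any(
            r.ip_proto == flow.ip_proto
            and (r.dst_port is None or r.dst_port == flow.dst_port)
            for r in self.allow
        )

    def blocked(self, flows: Sequence[Flow]) -> List[str]:
        """Names of the flows this policy would drop, in the order given."""
        return [f.name for f in flows if not self.permits(f)]


# Flows needed by common secure-access methods (standard assignments).
IPSEC_IKE = (
    Flow("IKE", IPPROTO_UDP, 500),          # initial IKE exchange
    Flow("IKE NAT-T", IPPROTO_UDP, 4500),   # IKE/ESP-in-UDP behind a NAT
    Flow("ESP", IPPROTO_ESP, None),         # the protected data packets
)
PPTP = (
    Flow("PPTP control", IPPROTO_TCP, 1723),
    Flow("GRE", IPPROTO_GRE, None),
)
OPENVPN_DEFAULT = (Flow("OpenVPN", IPPROTO_UDP, 1194),)
TLS_ON_443 = (Flow("HTTPS", IPPROTO_TCP, 443),)

# Constructed: the hotel gateway of the text, outbound TCP 80 and 443 only.
HOTEL_WEB_ONLY = EgressPolicy([Rule(IPPROTO_TCP, 80), Rule(IPPROTO_TCP, 443)])


def vpn_setup_possible(policy: EgressPolicy, flows: Sequence[Flow]) -> bool:
    """True only if every flow the method needs is permitted."""
    return not policy.blocked(flows)


if __name__ == "__main__":
    cases = [("IPsec/IKE", IPSEC_IKE), ("PPTP", PPTP),
             ("OpenVPN UDP", OPENVPN_DEFAULT), ("TLS on 443", TLS_ON_443)]
    for label, flows in cases:
        dropped = HOTEL_WEB_ONLY.blocked(flows)
        status = "OK" if not dropped else "blocked: " + ", ".join(dropped)
        print(f"{label:12s} {status}")
```

Run stand-alone, the script reports IPsec/IKE, PPTP and OpenVPN as blocked and only the TCP-443 flow as permitted. Two points worth noting: a policy expressed purely in protocol and port drops ESP and GRE unconditionally, since they carry no port to allow; and, conversely, it admits anything carried inside a TCP connection to port 443 without regard to what that connection contains.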
It is therefore an object of the invention to provide a method and system for communicating data between two devices via a restrictive network node.